WHAT DATA SECURITY REGULATIONS AFFECT MY COMPANY?

State, federal, and international regulations continue to adapt to today’s digital world. These laws improve data security and protect your customers. But failure to keep up with changes in the law can result in major fines, stolen customer information, and a damaged reputation.

Do you have a website?

If you collect information of any kind on your website — for example, an email newsletter signup or contact form — or if you use Google Analytics or capture any other kind of analytics, you need a Privacy Policy and Terms & Conditions. These documents must be linked prominently from your website, usually in the website footer.

A Privacy Policy is a required statement that outlines the ways you gather, use, disclose, and manage customer data.

Terms and Conditions are a legally-binding agreement between your company and the visitor to your website. This commonly outlines how visitors may use the information on your website and limits (or attempts to limit) your company’s liability related to materials on your website and how users interact with them.

Do you handle data on EU citizens?

You must comply with EU GDPR. The European Union’s General Data Protection Regulation, which goes into effect May 25, 2018, is a sweeping update to the EU’s existing 1995 law, the Data Protection Act or Directive 95/46/EC.

Under GDPR, the privacy of EU residents’ personal information is protected by requiring companies that handle or process that information to comply with a wide set of privacy, consent, notification, and data retention regulations.

Are you based in MA or do you handle information on Massachusetts residents?

You must comply with MA 201 CMR 17.00. These are the minimum standards for the protection of personal information of Massachusetts residents, designed to protect residents against threats, unauthorized access, and breached confidentiality.

A major component of compliance with MA 201 CMR 17.00 is the development of a Written Information Security Plan (WISP). This document outlines the steps your company takes to protect sensitive personal information and establishes a process for reporting data breaches.

In the unfortunate event your company experiences a data breach, there are automatic fines right off the bat if you don’t have a WISP in place.

Do you offer financial products or services, like loans, investment advice, or insurance?

If so, then the GLBA is for you. GLBA (Gramm-Leach-Bliley Act) mandates that companies secure the private information of clients and customers and explain how they share and protect that information. Most accounting firms and tax preparers are also subject to GLBA.

Additionally, depending on the nature of your business, companies in the financial industry may be subject to other regulations and requirements, such as regulations from the SEC (U.S. Securities and Exchange Commission) or rules from the FTC (Federal Trade Commission) and the IRS.

Do you handle credit card information?

You must comply with PCI-DSS (the Payment Card Industry Data Security Standard). This is a set of 12 security regulations designed to reduce fraud and protect customer credit card information. It applies to anyone that accepts, processes, stores, or transmits credit card information.

Do you handle student educational records?

Schools, universities, and any organization that handles student educational records must comply with FERPA if they receive federal funding of any kind.

Are you a contractor, supplier, or manufacturer for the federal government?

Depending on the nature of your business, security requirements such as FAR, ITAR, and DFARS may apply.

With DFARS (Defense Federal Acquisition Regulation), all Department of Defense (DoD) contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet the minimum security standards or they risk losing their DoD contracts. ITAR (International Traffic in Arms Regulations) involves securing data files shared between the U.S. Military and its military contractors.

Generally speaking, these regulations require implementation of the security controls outlined in NIST SP 800-171 and the development of applicable security policies and procedures.